Sandbox Management
Overview
Function Introduction
OpenHarmony supports two types of sandbox, namely, system sandbox and chipset sandbox.
Basic Concepts
The system sandbox and chipset sandbox are created in the init module. Native services choose to enter the system sandbox or chipset sandbox based on their functions. Sandbox components can be isolated through the mount attribute if mount-bind-paths or mount-bind-files is set for them in configuration files such as system-sandbox.json and chipset-sandbox.json. In addition, a sandbox debugging tool is provided to facilitate sandbox debugging, verification, and optimization. For details about commands, see Description of begetctl Commands.
Constraints
The sandbox management module is available only for the standard system.
How to Develop
Parameter Description
Table 1 Parameters in the sandbox configuration file
JSON Prefix | Description |
---|---|
sandbox-root | Root directory of the sandbox. |
mount-bind-paths | Directory to mount. |
mount-bind-files | File to mount. |
src-path | Source path of the directory or file to mount. |
sandbox-path | Target path in the sandbox. |
sandbox-flags | Mount flag. The default value is bind rec. |
ignore | Whether to ignore a mounting failure. If the value is set to 1, the system ignores the mounting failure and proceeds with the subsequent step. |
target-name | Directory to link. |
link-name | Target link in the sandbox. |
Table 2 Description of sandbox configuration files
Sandbox Configuration File | Description |
---|---|
chipset-sandbox64.json | Chipset sandbox configuration file for the 64-bit system |
chipset-sandbox.json | Chipset sandbox configuration file for the 32-bit system |
system-sandbox64.json | System sandbox configuration file for the 64-bit system |
system-sandbox.json | System sandbox configuration file for the 32-bit system |
Available APIs
Logical storage structure of the sandbox:
// Main functions
// name is "system" or "chipset"
bool InitSandboxWithName(const char *name); // Parsing to the JSON structure
typedef struct {
ListNode pathMountsHead; // sandbox mount_path list head
ListNode fileMountsHead; // sandbox mount_file list head
ListNode linksHead; // sandbox symbolic link list head
char *rootPath; // /mnt/sandbox/system|vendor|xxx
char name[MAX_BUFFER_LEN]; // name of sandbox. i.e system, chipset etc.
bool isCreated; // sandbox already created or not
int ns; // namespace
} sandbox_t;
Procedure
-
Create a sandbox.
- Create a system or chipset sandbox and configure the corresponding system-sandbox.json or chipset-sandbox.json file. For details about how to configure the JSON file, see Sandbox JSON File Configuration.
- By default, the sandbox function of a service is enabled. If you do not want to move the service to the sandbox, set sandbox to 0 in the .cfg file. Otherwsie, set sandbox to 1.
"sandbox" : 1
-
Modify the JSON file configuration of the sandbox.
- Go to the /system/etc/sandbox/ directory, and run cat system-sandbox.json and cat chipset-sandbox.json. If you are using a 64-bit system, run cat system-sandbox64.json and cat chipset-sandbox64.json instead.
- Modify the sandbox configuration files in the base/startup/init/interfaces/innerkits/sandbox directory. After that, restart the system.
Development Example
JSON file configuration of the sandbox:
{
"sandbox-root" : "/mnt/sandbox/system",
"mount-bind-paths" : [{
"src-path" : "/system/lib/ndk",
"sandbox-path" : "/system/lib/ndk",
"sandbox-flags" : [ "bind", "rec", "private" ]
}],
"mount-bind-files" : [{
"src-path" : "/system/lib/ld-musl-aarch64.so.1",
"sandbox-path" : "/system/lib/ld-musl-aarch64.so.1",
"sandbox-flags" : [ "bind", "rec", "private" ]
}],
"symbol-links" : [{
"target-name" : "/vendor/lib",
"link-name" : "/lib"
}]
}
FAQs
-
Cause Analysis Related services cannot access required resource files such as .so file.
-
Solution Check the hilog information, analyze the failure cause, enter the path of the corresponding .so file on the device, and modify the BUILD.gn file as appropriate. The operation procedure is as follows:
-
Search for keyword failed or .so in hilog.
08-05 17:27:29.302 488 488 E C02500/driver_loader_full: get driver entry failed, /vendor/lib/libcamera_host_service_1.0.z.so load fail, Error loading shared library libdisplay_buffer_proxy_1.0.z.so: No such file or directory (needed by /system/lib/chipset-pub-sdk/libdisplay_buffer_hdi_impl.z.so) 08-05 17:27:29.303 488 488 E C02500/devhost_service_full: DevHostServiceAddDevice failed and return -207 08-05 17:27:29.305 488 488 E C02500/devhost_service_stub: Dis patch failed, add service failed and ret is -207 08-05 17:27:29.307 488 488 I C02500/devhost_service_stub: add device 0x7000201 08-05 17:27:29.308 488 488 E C02500/driver_loader_full: /vendor/lib/libhdi_media_layer_service.z.so no valid, errno:2
-
As shown in the preceding search result, the camera error is caused by the libdisplay_buffer_proxy_1.0.z.so loading failure. To rectify the fault, you can mount the file in the sandbox for quick recovery, or modify the corresponding BUILD.gn file.
-
Method 1: Mount the file in the sandbox for quick recovery. (Only local debugging is supported, and source code modification needs to be reviewed.)
-
System sandbox: Edit the /system/etc/sandbox/system-sandbox.json file on the device. By default, only some files in the /vendor directory are mounted. If an error is reported, mount the files separately.
-
Chipset sandbox: Edit the /system/etc/sandbox/chipset-sandbox.json file on the device. By default, only some files in the /system directory are mounted. If an error is reported, mount the files separately.
-
For the preceding case, add the following information to /system/etc/sandbox/chipset-sandbox.json:
"mount-bind-files" : [ { "src-path" : "/system/lib/libdisplay_buffer_proxy_1.0.z.so", "sandbox-path" : "/system/lib/libdisplay_buffer_proxy_1.0.z.so", "sandbox-flags" : [ "bind", "rec", "private" ] },{...} ],
-
-
Method 2: Add innerapi_tags to the BUILD.gn file.
ohos_shared_library("xxx") { ... innerapi_tags = [ "chipsetsdk", ] }
-
Description of innerapi_tags:
-
Tags related to sandbox permissions include passthrough, chipsetsdk, passthrough_indirect, and chipsetsdk_indirect.
-
You can view the so information on the OpenHarmony website. For indirectly dependent modules, use chipsetsdk_indirect or passthrough_indirect. For other modules, use chipsetsdk or passthrough.
-
For the .so files installed in the system directory, use chipsetsdk and chipsetsdk_indirect for access by chip components.
-
For the .so files installed in the chip directory, use passthrough and passthrough_indirect for access by system components.
-
You can add innerapi_tags to specify the installation path of .so files. For example, if chipsetsdk is set, .so files are installed in the /lib/chipset-sdk/ directory. The source code is available at build/templates/cxx/cxx.gni.
# auto set auto_relative_install_dir by innerapi_tags if (defined(invoker.innerapi_tags)) { is_chipsetsdk = false is_platformsdk = false is_passthrough = false foreach(tag, filter_include(invoker.innerapi_tags, [ "chipsetsdk*" ])) { is_chipsetsdk = true } foreach(tag, filter_include(invoker.innerapi_tags, [ "platformsdk*" ])) { is_platformsdk = true } foreach(tag, filter_include(invoker.innerapi_tags, [ "passthrough*" ])) { is_passthrough = true } if (is_chipsetsdk && is_platformsdk) { auto_relative_install_dir = "chipset-pub-sdk" } else if (is_chipsetsdk) { auto_relative_install_dir = "chipset-sdk" } else if (is_platformsdk) { auto_relative_install_dir = "platformsdk" } if (is_passthrough) { auto_relative_install_dir = chipset_passthrough_dir } ... }
-
-
-